Pages

Tuesday, March 29, 2005

How good is your Reg-foo?

Yes, I'm still working on the Registry Analysis HOWTO, subtitled "Your Reg-foo is very good..." (remember the old, poorly-dubbed "BlackBelt Theatre"??). I'm using what I've got so far as a stepping off point for a presentation at work, then a similar presentation at a conference in June.

I've got some interesting tidbits so far...detecting deleted user accounts, mapping USB-connected storage devices, etc.

I was wondering that things you guys look for (or want to know more about) in the Registry.

Before you comment or email me...malware stuff is pretty passe. It's well known. We all know about the ubiquitous 'Run' key. So keeping that in mind, send in your tips...

3 comments:

  1. Anonymous1:22 PM

    Just a quick one for now, possibly well known, maybe not.

    Data found in "Count" keys - MRU items that are ROT13 "ciphered" - will be missed by standard string searching. Now why is that? >:)

    More info here: http://www.wilderssecurity.com/archive/index.php/t-11056.html

    And in your local registry hives. :)

    ReplyDelete
  2. Anonymous2:38 PM

    At a minimum, I'd like to see:

    * Every MRU list available This includes lists belonging to well known programs and any key involving the phrases "MRU" or "Most Recently Used". This should also pick up how many MRU entries are recorded. (For example, if ten are supposed to be recorded but there are only four entries, I want to know that.)

    * The identity of every USB device ever connected to the system, along with when. Preferrably with the manufacturer and model number highlighted.

    * A list of well-known programs that have ever been installed and whether or not they are still currently installed. Check for registry keys of MS Word, John the Ripper, AIM, et al, and see if they match known patterns of "currently installed" or "installed but then removed"

    * The customer name and company name used to register any software, such as MS Word or Adobe Acrobat.

    ReplyDelete
  3. Thanks, Cory and Jesse...

    Cory...yes, those keys are fairly well known, but not documented by MS.

    Jesse..."sometimes the world is not enough" (Pierce Brosnan as James Bond). ;-)

    ReplyDelete